As the CCPA’s effective date approaches, businesses are actively monitoring how companies will update their websites and privacy notices to comply with the new disclosure requirements of the Act. While many companies are prepared to update their websites at the end of the year, websites that are preemptively changed before year-end are reviewed and scrutinized for signs of emerging industry standard practice.
To-date, the placement of a “do not sell” link on a website has not arisen to the level of an industry practice.
In order to help companies understand and benchmark standards and practices, BCLP analyzed a random sample of the privacy notices of Fortune 500 companies.1 Based upon that sample, and as of December 20, 2019, only 4% of the total sample population had placed a “Do Not Sell My Personal Information” link either within their privacy notice or on their homepage.2 The percentage is slightly higher when viewed as a function of only those websites that have already updated their privacy notices for the CCPA. Within that sub-sample, 18% of companies have included a “Do Not Sell My Personal Information” link.
Interestingly, none of the companies that have included such a link appear to have a working mechanism for effectuating a “do not sell” request. One company’s link takes users to a data subject request portal that does not contain a “do not sell” option; the other company’s link takes users to an online chat bot that does not respond to requests for information not to be sold. It remains to be seen whether regulators and the plaintiff’s bar will view the inclusion of a link that is not functional as raising legal concerns under the Federal Trade Commission Act (“FTCA”) and state Unfair and Deceptive Trade Practice Acts (“UDTPA”).